How websites are attacked
•
1 j'aime•2,196 vues
Understanding and responding to the five phases of web application abuse
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à How websites are attacked
Similaire à How websites are attacked (20)
Dernier
Dernier (20)
How websites are attacked
- 2. Listen only mode Watch again View slides Submit via panelQ&A
- 4. Al Huizenga Director of Product Management Mykonos Software Kyle Adams Chief Architect Mykonos Software
- 5. Three Goals
- 6. THINK DIFFERENTLY About Web Security
- 9. Today, your Web applications are a black hole
- 10. The Future of Web Security is smart self-defensive applications.
- 11. It’s time to understand and respond to your web attackers
- 13. Free Accounts Created Used as Spam Engine
- 14. What is Web application Abuse? Shopping Cart Manipulation 1 2 3 4 5 6 Social Engineering Confidence Scams Points Systems Defacement of Site Transfer of Funds Data Theft
- 15. Definition Manipulating your site (and its trust) in an attempt to commit fraud, vandalize your brand, and compromise your users’ privacy.
- 16. What does Web Application Abuse look like?
- 17. SALE
- 20. Why does Web Application Abuse happen?
- 21. of all security threats are now at the web application layer Source: Gartner
- 22. of security spending is at the web application layer Source: State of Web Application Security by Ponemon Institute April 2010
- 23. Network Perimeter Network Firewall Database Firewall Servers Databases NIPS HIPS IDS PORT 80 HR Benefits Core Business ApplicationCRM E-commerceMarketing
- 24. of developer headcount is focused on security Source: OWASP Security Spending Benchmarks Project March 2009
- 25. vulnerabilities per web application Source: Web Application Security Council (WASC)
- 26. What are the common characteristics of a Web attack? Automated and/or Distributed Based on Application behavior Hard to filter out
- 27. How does it happen….? Day 1 Attack begins Day X Attack discovered OVER TIME
- 28. Phase 1 Silent Introspection Phase 2 Attack Vector Establishment Phase 3 Attack Implementation Phase 4 Attack Automation Phase 5 Maintenance Five Phases of Web App Abuse
- 29. Phase 1 Silent Introspection Footprint: Low Method: Run a debugger, surf the site, collect data, analyze offline Info Sought: What Web server? Database? Network hardware and software? Programming languages and libraries?
- 31. Phase 2 Attack Vector Establishment Footprint: Higher Techniques: 1. Cloak yourself 2. For all dynamic URLs, test inputs for errors or blind injection to find vulnerabilities 3. For each vulnerability, start structuring your input to shape the error into an attack
- 33. Phase 3 Implementation Footprint: Highest Attack Defined: Now that you know the vector(s), what can you do with them? • Extract/edit/delete DB records or tables? • Infect site with a worm that distributes malware? • Launch a complex phishing scam?
- 35. Phase 4 Automation Footprint: Low Attack Successful: If the attack makes money, you want to do it discretely again and again • Write an attack program script • Buy a pre-fab “Command and Control” kit and raise your own BotNet to attack from
- 36. Phase 5 Maintenance Footprint: Low Attack Successful: Let the money roll in, go do something else Successful automated abuse can exist undetected in maintenance mode for years If a patch disrupts the abuse, oh well. Either refine the vector again, or go hunting elsewhere
- 37. Vulnerability Management Web Application Firewall Phase 1 Silent Introspection Phase 2 Attack Vector Establishment Phase 3 Attack Implementation Phase 4 Attack Automation Phase 5 Maintenance What can you do? Mykonos Security Appliance
- 39. Web Application Intrusion Detection & Prevention The Mykonos Security Appliance. Identify and track attempts to introspect your sites/apps 1 Gain intelligence about behavior & threat level of bad actors 2 Instantly neutralize threats 3
- 40. A New Innovative Approach App Server Client Code Honey-pots Network Perimeter Database Firewall Traps Triggers
- 42. www.MykonosSoftware.com Download Whitepaper Understanding and Responding to the Five Phases of Web Application Abuse
Notes de l'éditeur
- Welcome to this Webinar brought to you by Mykonos Software. Today’s presentation titled “How Web Applications are Attacked” looks at “Understanding and Responding to the Five Phases of Web Application Abuse”. My name is Edward Roberts and I’ll be the moderator for this event. For those of you who are new to Mykonos Software, we are helping companies understand how Web applications are abused by criminal attackers to steal data, commit fraud or even use company bandwidth for un-intended tasks. The Mykonos Security Appliance detects malicious abuse of web applications before the damage is done. This software solution profiles the abuse through intelligence gathering and responds to any abuse in real-time ultimately preventing data theft, fraudulent behavior and misuse of your Web properties.
- You are in listen only mode. We encourage you to ask questions. We will have time to answer them at the conclusion of the presentation. Please use the panel to submit your questions You can view the slides and watch the webinar again on our website with the next 2-3 days.
- Al Huizenga Director of Product Management Al has 11 years experience managing, releasing, and marketing Web-based products and technologies in companies such as Cognos Inc., Platform Computing, and Panorama Software. Kyle Adams Chief Architect: Has final responsibility for code quality and technical excellence. He is a graduate of the Rochester Institute of Technology, earning a Degree in Computer Science with a minor in Criminal Justice. He wrote his first password protection software at age 10, started hacking incessantly, and was writting his own encryption software by age 14. An AJAX expert and enthusiast, Kyle has worked on scores of web application projects.
- Today’s presentation has three goals
- I want you to think differently about security. I will offer a unique way to think about security by understanding the behavior of an attacker rather than concentrating on packets of data.
- Secondly I today you will see how hackers attack a website with real-life techniques that will frighten you in their simplicity.
- And thirdly we want you to help remove Grandma’s frustration because the web is frightening enough to her without having to overcome abuse that she can’t even understand.
- You do not have any visibility into the traffic? Do you know what is normal use? Do you know what is abusive use? Do you know who is introspecting your site? Isn’t it time to understand the behavior of all users on your site rather than just monitoring data packets?
- For too long applications are passive waiting for a malicious user to attack. The future Web security is creating smart self-defensive applications.
- It’s time to understand and respond to your web attackers. But in order to do those two things first you must be able to identify them before they attack your web application.
- What is our background with Web application abuse? Mykonos Software was incubated within Bluetie. One of the first online email and collaboration SaaS providers since 1999. With over 2million users, Bluetie sees its fair share of malicious users. What kind of abuse occurred?
- Bluetie would see abuse where fake accounts are created. The Web application would be used as a spam engine. Attackers would change the web application code and write a script against it to use the resources of Bluetie rather than go for stealing data. It’s a nuisance and wastes company bandwidth and resources and slows down the product to real legitimate users.
- What is Web application Abuse? On the right here we have the ultimate fear which is data theft of credit cards, financial data, SS#’s. But web application abuse can be many different things. Shopping cart manipulation – If you can change the number of items in a cart and not pay for it, it can be very lucrative, and to the company it looks like normal use. Social engineering confidence scams – the recent twitter attack. Points sytems – If you can change the points used you can improve scores in games, change airmiles, change student grades. Defacement of Site – More of an embarrassment and a nuisance but getting the site defaced creates problems for real users who worry about the safety of going to your site. Transfer of funds from one account to another – anytime money is accessible on-line there is the opportunity for some abuse. Data Theft – Credit cards, SS#, personal data, financial data, healthcare data.
- What does Web application abuse look like? As we just stated it can take many forms. Let’s take you through some examples….
- Grandma has been saving up for a flat screen TV. She sees that an online electronics store is going to have a great sale on a particular model on Black Friday. She waits until the minute the sale starts, and goes online to make the purchase. Sadly, younger, more tech savvy shoppers have figured out how to reserve all of the flat screen TVs in inventory by automating the application shopping cart. Grandma is out of luck – even though she jumped in right away to make the purchase, it looks like the store is out of TVs, and she feels ripped off.
- Grandma decides to go online and see Christmas pictures from her family around the US. When she gets into the site, she sees a message from her daughter, and clicks it. Oddly, instead of showing family pictures, the message automatically redirects her to a pornography site. Grandma is shocked, upset, and vows never to go to that social networking site again. Also, she doesn’t know it, but that porn site downloaded a virus to her laptop. Grandma has been compromised.
- The shock took it’s toll on Grandma’s heart, and she goes to her pharmacy’s Web site to get her heart medication prescription refilled. She has an account on the site that contains her Medicare information, including social security number, address, and her CC information too. What she doesn’t know is that the pharmacy Web site has been compromised, and criminals regularly and discretely pull all of that PII from the database, and sell it on the black market. Grandma is a prime candidate for identity theft.
- Why does Web application abuse happen? It’s a factor of where security is today.
- The impact of the web application revolution is that 70% of all threats are now at the web layer According to Gartner
- The focus has been on the network. 93 % of security spending is at the network layer.
- The network has been well secured and the techniques used were effective. Then came web apps and we blew open port 80. We put applications on the web and many companies put the entire business on the web. And this is open to 2 billion users with a browser to use or abuse.
- In almost half of companies (41%), less than 2% of developer headcount is focused on security.
- What does that mean to you? WASC states that the average web application has 12 vulnerabilities. Multiply that by how many web applications your organization has and you’ll see how many options an abusive user has.
- What are the common characteristics of a Web attack? Based on a deep understanding of application behavior Hard to filter out effectively over time Often automated or distributed
- Not a one-time incident (it just gets reported that way) The actual attack vector that works needs to be established first The abuse needs to be tested and automated It has it’s own dev lifecycle
- Examples: Twitter
- Vulnerability management and filtering help…but have their limits Code scanning pre or post compile is hard because who is going to go back and patch all the vulnerabilities that are found. Many are in third party apps, Most companies are not going to re-write all their internal apps. It’s hard to pre-guess all possible vulnerabilities and vectors It’s hard to filter intelligently and dynamically enough New solutions are attempting to hook into the application context, use it to understand abusive behavior, and respond adaptively
- The Mykonos Security Appliance works during the first two phases of the attack. It does three things to help you catch an attacker before the damage is done. 1 Identify and track attempts to introspect your sites/apps. 2. Gain intelligence about behavior & threat level of bad actors 3. Instantly neutralize threats.
- We have an innovative approach. We work as a reverse proxy. We insert detection points into the code as it is delivered to the browser. If an abusive user plays with one of the detection points we deliver a token onto the hackers machine so that we can re-identify them if they return.
- And maybe we wouldn’t annoy our grandma’s if we all went a little more pro-active on our defense of Web application abuse.